Configuring NPS 2012 for Two-factor Authentication | Security

WiKID Systems is an Independent Software Vendor (ISV) that provides an easy-to-implement and maintain two-factor authentication (server and software tokens) solution designed for organizations looking for highly-reliable, scalable, on-premises and secure two-factor authentication. In our experience, prospects get our server up and running quickly, but then can't get RADIUS working through NPS. We advise that RADIUS is a great authentication protocol because it is so simple to use. However, Microsoft has succeeded in making it complex. This tutorial is part of our effort to make using NPS easier because if you are using AD, then using NPS is the best way (from a security perspective) to perform authorization in AD and authentication in a third-party server, such as the WiKID Strong Authentication Server.

Some things you should keep in mind:

• The users will log in with a one-time password and their AD username. No AD password is required when you use WiKID because both the 'something you know' (the PIN) and 'something you have' (the asymmetric encryption key) are represented in the OTP. This works well for all VPNs, etc because you just enter the OTP into the password field.
• NPS seems to have a lot of possible conditions with confusing names that do not work, at least in typical VPN configurations. If your configuration is not working, go with the most permissive condition (such 'at any time') and then test. If it works, go back and add or substitute conditions.
• Use a tool like tcpdump or wireshark to see the actual requests and where they are going. People often think 'my authentication server is not responding' when in fact, it is not getting the packets at all.
• IP addresses are important in RADIUS. If the packets are not coming from the correct IP address, RADIUS will ignore them.
• The basic configuration will look like: VPN >> NPS/AD >> WiKID. In RADIUS terms, the VPN will be client to NPS and NPS will be a server to the VPN and a client to WiKID. While we are using WiKID for this example, because RADIUS is an open standard, this configuration works with many solutions.

Add the NPS Role

If you haven't already, add NPS to server.

Start the Add Role wizard:

Choose a server for it:

Choose Network Policy and Access Server

Click Next, there should not be any extra features you need to add.

Click Next again.

Click Next. At this time, please keep it simple and only install NPS.

Once the install is complete, start NPS and register the server in Active Directory.

Configure NPS

After installation, we need to configure NPS. We will first add your VPN or whatever service will be getting two-factor authentication as the radius client.

Right click RADIUS Client and select new. Use the IP address of the server or service to which you are adding two-factor authentication, such as your Cisco VPN, Citrix server, RDP Gateway, Linux server, etc.

Click OK, then right click on Remote RADIUS Server and select New. Give it a name, such as WiKID. Enter the IP Address of your WiKID server.

Select the Authentication/Accounting tab. Enter a shared secret. This is the same shared secret that will be entered on the WiKID server in the Network Clients tab. Check the box "Request must contain the message authenticator attribute".

Click OK. Now we need to create a policy that will use these RADIUS settings. Right click on Connection Request Policy and Select New. For this the type of network server was left as unspecified.

Click Next. Then Add to create a condition. Since we know all the requests will be coming from a certain IP address, we can use Client IPv4 Address as the condition. Please only select this at this time. Note that conditions such as username or the similarly named "Access Client IPv4" or the "NAS IPv4 address" condition do not work!

Click OK, then Next. Select Forward request to the following remote RADIUS server and the WiKID group in the drop down.

Select Next.

Click on Vendor Specific and Add. Scroll down and choose Remote-RADIUS-to-Windows-User-Mapping.

Set it to True.

Then click Close. And Ok. Right click on "Use Windows Authentication for all users" and disable it. NPS should now look like this:

Now, we need to create a Network Policy. Right click on Network Policy and select New.

Click Next and add a condition. For testing, we added a pointless condition allowing users to log in at any time. We recommend you start with this, test it and then come back and make a more restrictive constraint.

Next, specify that access should be granted.

If that works, add a more restrictive constraint. Typically, you will want to make sure that the user is authorized for remote access by their group membership. Double-click on Windows Groups and choose the proper group for remote access.

This is the best way to continue managing your users in AD and is the best reason to use NPS. If an employee is fired or their role is changed, it is managed in AD. Simply disabling the user prevents them from gaining access. Your AD admins (or HR) do not need to be admins on your two-factor authentication server.

Next, you can specify which EAP or CHAP/PAP protocols you want. Note that some services such as PAM-RADIUS only support PAP and that the encryption in CHAP is terrible. RADIUS should really only be used on trusted networks. Using one-time passcodes does limit the risks.

Click Next through the next three screens and then Finish. You should now have one enabled Network Policy.

You should now be able to log in to your VPN using your AD username and WiKID OTP. If you can, test removing the user from their AD group and see if it fails. If you cannot, check your VPN logs, the Windows Security Event logs and your WiKID logs, in that order. Follow the logical path of the packets and look for the error. Often, you will see an error in the event viewer such as "Request did not match a policy", which indicates that one of your NPS policies is incorrect.

Attackers rely on credential abuse. Adding two-factor authentication to your remote access solution is a great way to limit infiltration. Including your directory infrastructure in the process is the best way to avoid problems when disabling users. Please download a free evaluation of the WiKID server and let us know how we can help.

Source: http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/